National Security

Rabid Response

Is the Pentagon crazy enough to bring nukes to a cyberfight?

The latest Bond flick, Skyfall, could well be the most realistic of the entire series. Its villain, disgruntled ex-MI-6 operative and creepy cyber-hacker Raoul Silva, launches massive cyberattacks from his high-tech lair on a deserted island somewhere off of Macau. He threatens to commandeer the infrastructure of entire nations at the speed of light with the mere push of a button, leaving nary a trace. Who needs cyclopytic henchmen or sharks-with-frickin'-laser-beams-attached-to-their-heads when you can invisibly disrupt power grids around the globe by merely hitting the "Enter" key?

As it turns out, our most senior defense officials and intelligence chiefs, as well as top CEOs, are now grappling with this very issue: What to do about the Raoul Silvas of the world before they wreak cyber-havoc on the nation? The problem is that some in the Pentagon are threatening "deterrence" via kinetic reprisals -- including nuclear counterattacks in the most extreme cases -- that could actually encourage the very cyberattacks the government hopes to prevent.

In the latest report from the Office of the Director of National Intelligence (DNI), cyberthreats climbed from being the number-three threat last year to the number-one position -- beating even terrorism to claim the top spot. In introducing the Worldwide Threat Assessment to the Senate, DNI James Clapper said that "when it comes to the distinct threat areas, our statement this year leads with cyber.... [I]t's hard to overemphasize its significance." And yet cyberattacks have yet to cause damage in the way a military strike could. A sobering article by Thomas Rid in Foreign Policy points out that not a single fatality has yet been attributed to any cyberattack.  

On the other hand, about $100 billion is believed to be lost annually to cyber-crime, cyber-extortion, cyber-espionage of corporate secrets, and in cleaning-up and addressing those threats. So it certainly makes sense to get out ahead of cyber-insecurities instead of waiting and reacting to a more metastasized crisis in a few years. The question is, when do cyber-intrusions cross the line from being an expensive criminal nuisance to a national-level concern requiring military intervention or military threats? And, relatedly, how should the United States divide the nation's cybersecurity mission between the civilians (at the FBI and the Department of Homeland Security) and the military?

This is where the recent 146-page report from the Pentagon's Defense Science Board, "Resilient Military Systems and the Advanced Cyber Threat," comes in. A 33-member panel of government and civilian experts was charged with reviewing the robustness of Pentagon defenses against cyberattacks and making recommendations to improve them. Although the report contains many sensible recommendations, it also makes an outrageous and counter-productive one: It suggests threatening the use of nuclear weapons in response to the most severe cyberattacks. "Deterrence is achieved with offensive cyber, some protected-conventional capabilities, and anchored with U.S. nuclear weapons," the report states, adding, "Cyber risk can be managed through the combination of deterrence (up to a nuclear response in the most extreme case) and improved cyber defense."

Nuclear deterrence isn't the best analogy for addressing cyber-threats, and it is certainly the wrong policy. All through the Cold War, and even now, the United States has had early-warning satellites that use infrared sensors to pinpoint where nuclear-tipped missiles may have come from, thus fulfilling the critical attribution criterion on which deterrence hinges. Nothing remotely equivalent exists in cyberspace. Another critical difference is the involvement of subnational groups. During the Cold War, if U.S. sensors indicated that missiles were coming from the Soviet Union, we had no doubt they were launched by the Soviet government. The same is not true of cyberattacks, which a group of teenagers in Russia could launch without the permission of their parents, let alone the government. Massive attacks can be carried out with cheap technology available to individuals. It's as if all citizens worldwide had easy access to squadrons of stealth fighters.

Openly threatening U.S. military responses to cyberattacks may just encourage hackers trying to cause mischief -- or subnational groups hoping to cause far worse. There are a number of dissident and terrorist groups in China -- not to mention extremist anti-government militias in the United States -- who would be happy to try to lead the United States into war with China. Even if we assume that they would not be able to trigger a nuclear response, it makes no sense to create incentives for them to do so by carrying out repeated malicious and severe cyberattacks against the United States. At best, threatening nuclear reprisal just legitimizes another use for nuclear weapons at a time when the United States is trying to reduce its reliance on them and ought to be setting a positive example.

The fundamental reason that deterrence does not translate well into the cyber realm is that true attribution is difficult in cyberspace. Even though cyber-sleuths can now trace attacks much better than even just a few years ago, it still is not good enough to determine exactly who carried out the attack and who may have sponsored it. Groups, whether state-sponsored or subnational, could also physically move overseas to launch attacks and thus reliably mislead attribution efforts. A group of Chinese hanging out in Paris for the summer would probably not attract much attention. Or they could hire hackers in a third country. One of the earliest documented hacking incidents, in 1986, was the "Cuckoo's Egg" intrusion into about 400 U.S. military computer systems -- to try to access documents on the Strategic Defense Initiative and nuclear bombs. After some first-rate sleuthing, the hacker was identified as a West German, Markus Hess, who was a paid recruit of the Soviet KGB.

But deterrence theory is not entirely useless in cyberspace. After all, you can deter an attacker not only by threatening to punish him in retaliation, but also by denying him any significant benefit from the attack. By making its systems highly resilient and instituting secure redundancies, the United States could make it seem futile for adversaries to attempt disrupting our computer systems.

The government is already taking steps to require stricter standards in designing more secure operating systems. Last month, President Obama signed an executive order and issued an accompanying presidential policy directive (PPD-21) that calls for a voluntary public-private approach to address cyber-threats to critical infrastructure. The measures appear to be a mixed bag: They encourage government agencies to share unclassified threat information with critical infrastructure operators, which is eminently sensible, but they also aim to impose mandatory regulations down the road, which may not be flexible enough to deal with rapidly mutating cyber-threats. The soundest solutions will likely come from innovation rather than legislation. One promising avenue for improving cybersecurity seems to be by migrating processing and data to a secure "cloud." Just as most of us place our money in a bank and not under the mattress, the future of secure computing might be in deterring cyberattacks by holding a small encrypted share in a massive cloud.

There is also a growing realization that some norms or rules for cybersecurity are a good idea. For example, this week, NATO's Co-operative Cyber Defense Center of Excellence released rules governing the conduct of cyberattacks by its members. Until recently, the United States was wary of negotiating rules of the road for cyberspace, essentially claiming that the laws of war sufficed. But following a series of well-publicized cyberattacks against the United States, the Obama administration now favors establishing ground rules for cyberspace, going so far as berating China for not abiding by (largely non-existent) international cyber norms. That won't be easy -- the United States would like to focus on cyber-espionage, while Russia and China want any rules to leave them free to censor the Internet -- but it is an essential step.

There should be no illusion that the cybersecurity problem is ever going to be solved entirely: The Internet is attractive because it is open, and being open is fundamentally at odds with being secure. We simply cannot legislate our way out of this problem. Like the war on drugs, it will continue. The real-world Raoul Silvas will continue to cause cyber-havoc. We can respond by making our systems more resilient, improving our attribution abilities, and, to the extent possible, cooperating with other nations in smoking out the Silvas worldwide. But one thing we surely don't need in cyberspace is nukes: It's dangerous enough as it is.


Argument

Crowdsourcing Peace

By going over the heads of Israeli and Palestinian leaders, Obama is demanding that their people step up.

U.S. President Barack Obama's speech in Jerusalem was without question the strongest ever made by a senior American politician on the Israeli-Palestinian conflict. It was plainly designed to speak directly to the Israeli and Palestinian peoples over the heads of their political leaderships. It was an exercise in public diplomacy par excellence, intended to change the tone and atmosphere, and public perceptions of Obama himself, presumably as an adjunct to actual diplomatic efforts to lay the groundwork for eventually resuming negotiations.

The psychological, communication and political skill that was marshaled to give the speech its maximum impact with public opinion was quite extraordinary, and stands in contrast to some miscalculations Obama made about Israeli and Palestinian perceptions during his first term. By systematically downplaying expectations for his trip, Obama made the power of his speech and the boldness of some of the language and positions he staked out -- particularly regarding the realities Palestinians face under Israeli occupation -- surprising and therefore all the more striking.

Obama made the first day of his trip an extended exercise in telling the Israeli public everything it could possibly want to hear from an American president, ranging from "undying bonds of friendship" to robust reiterations of security commitment and a much yearned-for acknowledgment of the long Jewish history in the land. In retrospect, it's clear that what looked like public outreach bordering on pandering was, in fact, designed to transform Israeli perceptions of Obama himself in order to prepare them for some of the hard truths he was preparing to deliver the next day.

What Obama has done is to reassure and challenge Israelis and Palestinians alike. To Israelis, he reiterated America's undying support and commitment to Israel's security. But he confronted them with the fact that "the only way for Israel to endure and thrive as a Jewish and democratic state is through the realization of an independent and viable Palestine." He reassured Palestinians that the United States is not walking away from the effort to create an independent Palestinian state. But he told them they must recognize that "Israel will be a Jewish state" and challenged them, and the rest of the Arab world, to begin to normalize their relations with Israel.

From a Palestinian point of view, it was already highly significant that Obama was not just going to Israel but also Ramallah and Bethlehem for significant talks with both President Mahmoud Abbas and Prime Minister Salam Fayyad. This communicated several important messages: that the Palestinians are still an important factor in the equation, and that they have a leadership, including both Abbas and Fayyad, that is to be engaged with seriously. And by specifically and repeatedly citing the Palestinian Authority's institution-building and security measures led by Fayyad, Obama was sending a clear signal that he wants to continue to deal with the present Palestinian prime minister, who has been under considerable political pressure in recent months.

But the speech itself gave the Palestinians a much deeper recognition, and one they've never fully received from American officials in the past. Obama went to enormous lengths to humanize the Palestinians, comparing them to his own daughters and to the young people of Israel. He did not simply reiterate the American commitment to a two-state solution, he spoke of the "Palestinian people's right to ... justice." This can only be seen as a clear, albeit implicit statement that the status quo of occupation is an ongoing injustice. He challenged his Israeli audience to "look at the world through their [Palestinian] eyes," which speaks to the Palestinian need to be acknowledged as fully equal human beings by the Israelis. And Obama admonished Israel that "neither occupation nor expulsion is the answer," directly addressing the two main Palestinian historical traumas and ongoing anxieties.

The effectiveness of Obama's careful political and psychological preparation for these unprecedented statements with his Israeli audience was demonstrated by the sustained, and otherwise unimaginable, applause he received for almost all these remarks. He clearly went a long way in assuaging Israeli skepticism. Palestinians will be harder to win over, as they require more than words given the onerous conditions of the occupation and their repeated disappointment with successive American governments, and in particular with Obama's first term.

There is no question that Obama's extraordinary speech will have a significant impact on how he is perceived by both Israelis and Palestinians, although how long that lasts and what kind of political or diplomatic impact it will have very much remains to be seen.

One of the more remarkable aspects of this outreach was how it stood in stark contrast to his diplomacy with political leaders. He explicitly told the Israeli and Palestinian publics that he was directly addressing them, not only over the heads of their political leaders, but in order to challenge them to confront those leaders. If entrenched politicians have become an obstacle to peace -- and they may indeed have -- why not go around them? "Political leaders will not take risks if the people do not demand that they do," he said, adding, "You must create the change that you want to see."

Essentially, Obama was saying, "If you like what you've heard today, you have to help me because your leaders aren't going to cooperate without significant pressure from you. I can't do this alone, as I discovered in my first term. I need your help."

In his first term, Obama essentially tried dealing with the leaderships directly while barely engaging with the Israeli or Palestinian publics. One subliminal message of his speech might be that he discovered this approach is a dead end, and that to get beyond the present impasse requires more robust public engagement. Whether he's done enough to promote or sustain that remains to be seen.

Diplomacy without sufficient outreach may have proven to be a failure in Obama's first term. But this kind of bravura performance of public diplomacy will have to be backed up with significant real diplomacy or it may be remembered as yet another inspiring Obama Middle East speech that ultimately produces more disappointment than tangible achievement. Still, if Obama was primarily trying to change the tone and the atmosphere in the region, and the way he is perceived by ordinary Israelis and Palestinians, it's hard to imagine how he could have been more effective than he has been over the past couple of days.
